Microsoft has warned users of potential hacker attacks. The company
has said it is “aware of targeted attacks”, which are exploiting a
“vulnerability” in its operating system to gain user rights to the
affected computers.
This issue is said to affect Microsoft Windows Vista, Windows Server 2008, Microsoft Office 2003-2010 and Microsoft Lync.
The company is investigating these attacks and has said that it will
take the appropriate action to resolve the problem, which “may include
providing a security update through our monthly release process or
providing an out-of-cycle security update, depending on customer needs”.
It has advised customers to apply a workaround, which is a setting or
configuration change that “does not correct the underlying issue but
would help block known attack vectors before a security update is
available”.
Tagged Image File Format Flaw
Microsoft has said that the flaw is in the handling of Tagged
Image File Format (TIFF) image files by a graphics processing component
in the affected software versions, and that for the hackers to
be successful, the attack “requires user interaction”.
Dustin Childs, a communications manager, said in a blog post
that the attacks are disguised as an email requesting potential targets
to open a specially crafted Word attachment. Once this attachment is
opened or previewed, it attempts to exploit the issue with a malformed
graphics image embedded in the document.
“An attacker who successfully exploited the vulnerability could gain
the same user rights as the logged on user,” Mr Childs said.
“An attacker could host a specially crafted website that is designed
to exploit this vulnerability and then convince a user to view the
website,” Microsoft said.
It then added that an attacker would have “no way to force users to view the attacker-controlled content”.
“Instead, an attacker would have to convince users to take action,
typically by getting them to click a link in an email message or in an
Instant Messenger message that takes users to the attacker’s website.”